VMblog Expert Interview: SecurityStudio Talks Simplifying Cybersecurity and Risk Management

At VMblog, we've covered a lot about cybersecurity and risk assessments over the years.  And as we head into 2023, it is quite clear that these challenges will only escalate.

In our research, we came across a company called SecurityStudio which believes in "mission before money", meaning they serve underserved audiences (schools and state/local governments, notably) to help them get their cybersecurity programs in place. The company also operates with the understanding that the cybersecurity industry is too complex and, in some instances, manipulates buyers with fear to buy more than they need.

To learn more, we reached out to and spoke with Ryan Cloutier, the president of SecurityStudio.  

VMblog:  Tell me a little about SecurityStudio and what the organization does. You have a mission before money mentality that I want to hear about.

Ryan Cloutier:  SecurityStudio helps simplify risk for organizations. We put a heavy emphasis on risk in context - an understanding of an organization's risk, its risk tolerance, and its approach to managing risk. We believe deeply that complexity is actually the enemy of cybersecurity, which is a problem in an industry that continues to preach the message that attack vectors and breach types are becoming more complex every day. That might be true, but the way to beat them back, in our highly-trained and practiced opinion, is to focus on the basics and to simplify cybersecurity.

With regard to the phrase "mission before money" - this is how we conduct business. We believe our first priority is to provide service to those we've been charged with protecting - not making a buck off of them. We work with a variety of organizational types, but do put an emphasis on those that we view as underserved by the cybersecurity market: organizations such as schools, state and local governments and SMBs that are in dire need of cybersecurity assistance but are really bound by either budgetary constraints or, often, a scarcity of security expertise.

Before we go about collecting a bunch of profit, we put the client first and do what we can to leave them in a better position than before we were working together. Our work is profitable, but by taking a money-focused, transactional approach to our work, rather than our relationship-based mission approach, the client can be left worse off, which is something we cannot live with.

VMblog:  So, you alluded to it in your previous answer, but over the past 20 years we've continually heard about how complex cybersecurity threats have grown. If that's the case, why does SecurityStudio focus so heavily on simplifying cybersecurity? Shouldn't the path to solving these issues be complex if the threats are complex?

Cloutier:  We do think that cybersecurity has gotten too complex. And we're not alone - Bruce Schneier published a blog in 1999 titled "A Plea for Simplicity" - though our thinking does seem to be in the minority.

The reason the industry is overly complex lies in a fundamental misunderstanding of what cybersecurity really is and how it plays a role in business decisions. The simple math is that complex systems are very difficult - and very expensive - to secure, while simple systems can be secured much more tightly, cost-effectively and in a way that, should you have a security event, allows an organization to recover much faster. Organizations genuinely are trying to do business well, but they get confused or buy into a marketing campaign and purchase multiple systems or tools that do the same thing. That increases the opportunity for bad actors to get into the network and also means that the security team has a harder time crossing the T's and dotting the I's. Think of it this way - if a house has 20 doors, there are 20 ways to get into that house, which means a lot of locks and cameras, etc. If the house only has 2 doors, it's easier to secure and less attractive to bad guys.

Keep in mind, the global cybersecurity market is massive. Gartner predicts that between 2022 and 2026 the information security and risk management category will grow at a rate of 11%, reaching $267.3B four years from now. There is a lot of money in this industry, so it's really important that organizations understand they will be aggressively marketed to and that those messages will be full of fear, uncertainty and doubt, driving very complex "solutions" for very high prices. Organizations need to keep calm and focus on simplifying a very chaotic, noisy market.

VMblog:  If risk assessments are so important, why do people hate doing them or avoid them altogether?

Cloutier:  We hear people say all the time that risk assessments suck. They are too long, they aren't tailored enough for each organization, and honestly, they are too complex. Cybersecurity, in general, needs to be simplified. Since risk assessments are the tip of the cybersecurity sword, they are the first and most natural place to reduce complexity.

One of the biggest issues is that risk assessments take too long, in large part because they aren't tailored to each type of organization. What a state government needs to consider is going to be somewhat different than what an SMB needs to evaluate. We need to take these considerations into account when we put together an assessment for an organization.

Another really important problem is that there's a language barrier. While an enterprise will likely have an IT team or cyber team to conduct a risk assessment, a small municipality probably doesn't have that type of expertise on staff. Neither do some school districts or SMBs. We need to have risk assessments that are written by people for people and that get rid of the technical mumbo jumbo in favor of business language, since cybersecurity is really a business initiative, not a technical one.

Additionally, most risk assessments don't provide a path forward to address the vulnerabilities that the assessment finds. In truth, they are often treated as a failure report - what is wrong and, in many cases, who failed to prevent the problem. This can't stand. A risk assessment needs to be viewed as an opportunity to find out where we're weak and must - MUST - provide defined next steps to solve those problems. An extra plus is a risk assessment that tells you not just how to fix your issues, but prioritizes those fixes in terms of most important to least.

VMblog:  Is there a way to lower the barrier to entry for businesses wanting to be more secure, but not wanting to become IT experts?

Cloutier:  It all starts with finding the right partner who is willing to take the time to understand the clients' needs in the form of their unique business risks, risk profile, risk tolerance, etc. A partner that is a good fit is not going to just recommend blanket solutions that may or may not be right for the organization.

By taking the time to understand an organization's needs as they relate to risk, a good partner can help develop solutions that are effective, affordable and truly reduce risk while improving the speed at which they can conduct business. In some cases this means providing virtual chief information security officer (vCISO) work, whereby the contracted vCISO doesn't get paid for the recommendations she makes. Rather, her work is identifying broken business processes and giving guidance on how to make them less chaotic and more effective.

This goes back to our focus on mission before money. The right partner is going to scout out your cyber issues and make recommendations that work for and protect the organization, not just for their own P&L sheet.

VMblog:  Let's talk about the risk management side of cybersecurity. What are the things that surprise you most about organizations today and the way they manage cyber risk?

Cloutier:  That most organizations still don't understand that cybersecurity and the risks that go along with it are actually a core part of the business. There's a tendency to think of cybersecurity as a technical role, and while there is a technical component to securing an organization's digital assets, it is a business role on level with finance, operations and manufacturing. This idea that cybersecurity is a critical business function is not new - it's been written and talked about for years - but at the end of the day most organizations treat it as an add-on. It's not.

Related to this, what surprises me is that businesses that focus on selling analog things - tires, donuts, furniture, etc. - often don't consider that there is a digital aspect to their business, so they do not consider the cybersecurity implications of their work. By this I mean - baking is not a digital job. But ordering flour, sugar, yeast, etc. online or paying vendor invoices via Quickbooks (or the like) involves the internet, which means these businesses are at risk. We need to demystify the role that computers and cybersecurity play within what is considered non-digital work.

VMblog:  Schools and local governments are notoriously behind on technology updates. Do you work within these industries? How do you help those organizations that don't have big budgets to purchase the latest and greatest?

Cloutier:  First and foremost, if someone is trying to sell you on the latest and greatest, run the other direction.

We do work with state and local governments - they are one of our key constituencies because they are truly at risk and are often behind on how to protect their communities. But, for any of our customer segments, we think that focusing on "latest and greatest" is an inappropriate spend.

We partner with state and local governments to help them understand and put in place the fundamentals of cybersecurity. We don't promise that we are going to make them cybersecurity experts. Cybersecurity and cyber risk are really nuanced fields that require specialized expertise. For many organizations - from businesses to non-profits to state and local governments - it's just not feasible to have a staff of internal employees who are truly cybersecurity experts. So, if a local government buys "X" cybersecurity product, do they have the expertise to run it? Will it cost them more to train their team? And if they train their team will they really get the most out of that product when their level of cyber knowledge is very thin?

All organizations need to work with partners that help them ID their true vulnerabilities, find offerings that improve their security posture and show the true cost of the offering, rather than one that will cost them more in the long run.

VMblog:  What should organizations be doing to prepare for new cyber threats that use non-traditional methods of attacks? Things like remote employees that are actually AI deep fakes and not actual people?

Cloutier:  Cyber is part of every business process that organizations have today, so it needs to be considered a key business driver, not an IT cost center. And to bring that into focus for all employees, leadership needs to make sure that cyber is baked into their culture. That the organization talks about it, that employees understand their role to play in it, and that business decisions are made with it in mind.

Once you get your arms around making cyber as much a part of the organizational culture as HR or finance, it's time to go back to basics. Scrutinize your existing processes and ask if you still need what you've already bought. Why is this application even a part of our organization? How dependent are we as a business on the systems we have in place? Are we using them effectively? Are we using them securely?

Like I said earlier, cybersecurity has gotten too complex, and I truly believe that every organization can benefit from simplifying their approach. Yes, the threats have grown in complexity, but they are rooted in the same foundation of preying on people and organizations that don't understand how to deal with them. So, do a good risk assessment, see where you are vulnerable and gain clarity. Only then should you make informed decisions about how to invest security dollars going forward. Go back to the basics and make sure you're doing them cleanly and well. Consider that the fewer tools and systems on your network, the lower your risk, so get rid of the things you don't need.

Published Wednesday, November 16, 2022 7:32 AM by David Marshall